#!/bin/bash

echo "🔍 检查SSL证书配置..."

# 检查SSL目录是否存在
if [ ! -d "ssl" ]; then
    echo "❌ SSL目录不存在，正在创建..."
    mkdir -p ssl
fi

# 自动获取域名配置
CONFIG_JS="config.js"
if [ -f "$CONFIG_JS" ]; then
    PROD_DOMAIN=$(grep 'productionDomain:' "$CONFIG_JS" | head -n1 | awk -F "'" '{print $2}')
fi
if [ -z "$PROD_DOMAIN" ]; then
    CONFIG_FILE="system-config.json"
    if [ -f "$CONFIG_FILE" ]; then
        BASE_URL=$(grep '"baseUrl"' "$CONFIG_FILE" | head -n1 | awk -F '"' '{print $4}')
        PROD_DOMAIN=$(echo "$BASE_URL" | sed -E 's#^https?://([^/:]+).*#\1#')
    fi
fi
if [ -z "$PROD_DOMAIN" ]; then
    echo "❌ 未检测到域名配置，请在 config.js 的 productionDomain 字段或 system-config.json 的 baseUrl 字段中配置域名！"
    exit 1
fi

SSL_KEY="ssl/${PROD_DOMAIN}.key"
SSL_CRT="ssl/${PROD_DOMAIN}.crt"

echo "📁 检查SSL证书文件..."

if [ ! -f "$SSL_KEY" ]; then
    echo "❌ SSL私钥文件不存在: $SSL_KEY"
    echo "请将您的SSL私钥文件放置到: $SSL_KEY"
    echo ""
    echo "📋 需要的文件："
    echo "  - $SSL_KEY (私钥文件)"
    echo "  - $SSL_CRT (证书文件)"
    echo ""
    echo "💡 如果您还没有SSL证书，可以："
    echo "  1. 从您的域名提供商获取SSL证书"
    echo "  2. 使用Let's Encrypt免费证书"
    echo "  3. 生成自签名证书用于测试"
    exit 1
fi

if [ ! -f "$SSL_CRT" ]; then
    echo "❌ SSL证书文件不存在: $SSL_CRT"
    echo "请将您的SSL证书文件放置到: $SSL_CRT"
    exit 1
fi

echo "✅ SSL证书文件存在"

# 检查证书格式
echo "🔍 验证证书格式..."

# 检查私钥格式
if ! openssl rsa -in "$SSL_KEY" -check -noout >/dev/null 2>&1; then
    echo "❌ SSL私钥格式错误"
    echo "请确保私钥文件是PEM格式的RSA私钥"
    exit 1
fi

# 检查证书格式
if ! openssl x509 -in "$SSL_CRT" -text -noout >/dev/null 2>&1; then
    echo "❌ SSL证书格式错误"
    echo "请确保证书文件是PEM格式的X.509证书"
    exit 1
fi

echo "✅ SSL证书格式正确"

# 检查证书和私钥是否匹配
echo "🔍 检查证书和私钥是否匹配..."

CERT_MODULUS=$(openssl x509 -in "$SSL_CRT" -modulus -noout | openssl md5)
KEY_MODULUS=$(openssl rsa -in "$SSL_KEY" -modulus -noout | openssl md5)

if [ "$CERT_MODULUS" != "$KEY_MODULUS" ]; then
    echo "❌ SSL证书和私钥不匹配"
    echo "请确保证书和私钥是配对的"
    exit 1
fi

echo "✅ SSL证书和私钥匹配"

# 检查证书域名
echo "🔍 检查证书域名..."

CERT_DOMAIN=$(openssl x509 -in "$SSL_CRT" -text -noout | grep -A1 "Subject Alternative Name" | grep DNS | head -1 | sed 's/DNS://g' | tr -d ' ')
if [ -z "$CERT_DOMAIN" ]; then
    CERT_DOMAIN=$(openssl x509 -in "$SSL_CRT" -text -noout | grep "Subject:" | sed 's/.*CN = //' | sed 's/,.*//')
fi

echo "📋 证书域名: $CERT_DOMAIN"
echo "📋 配置域名: $PROD_DOMAIN"

if [ "$CERT_DOMAIN" != "$PROD_DOMAIN" ]; then
    echo "⚠️  警告: 证书域名与配置域名不匹配"
    echo "   证书域名: $CERT_DOMAIN"
    echo "   配置域名: $PROD_DOMAIN"
    echo ""
    echo "💡 建议："
    echo "  1. 使用匹配的SSL证书"
    echo "  2. 或者修改nginx.conf中的域名配置"
fi

# 检查证书有效期
echo "🔍 检查证书有效期..."

CERT_EXPIRY=$(openssl x509 -in "$SSL_CRT" -enddate -noout | cut -d= -f2)
echo "📅 证书过期时间: $CERT_EXPIRY"

# 检查是否过期
if openssl x509 -in "$SSL_CRT" -checkend 0 -noout >/dev/null 2>&1; then
    echo "✅ 证书未过期"
else
    echo "❌ 证书已过期"
    exit 1
fi

# 检查30天内是否过期
if openssl x509 -in "$SSL_CRT" -checkend 2592000 -noout >/dev/null 2>&1; then
    echo "✅ 证书30天内不会过期"
else
    echo "⚠️  警告: 证书将在30天内过期"
fi

echo ""
echo "✅ SSL证书检查完成"
echo ""
echo "🚀 现在可以重新部署服务："
echo "   ./docker-deploy-all.sh deploy" 